Latest news with #CyberSecurityAgency


CBC
6 days ago
Canada's cybersecurity head offers rare insight into Nova Scotia Power breach
The head of Canada's cyber-defence agency is offering some insight just weeks after a ransomware attack against Nova Scotia Power. The utility's computer systems were breached by ransomware hackers on March 19, but Nova Scotia Power did not discover it until April 25. The company disclosed the cybersecurity incident three days after that. About 280,000 customers — more than half of the utility's customers in the province — were informed by letter that their personal information may have been compromised in the attack. The data included names, addresses, phone numbers, birth dates, driver's licences, social insurance numbers and banking information. On Thursday, the Nova Scotia Energy Board granted approval to Nova Scotia Power to move forward with a $1.8-million project to improve cybersecurity. The attack and its aftermath have sparked many questions about the security of the company's IT systems.

Rajiv Gupta, head of the Canadian Centre for Cyber Security, spoke to CBC News in a rare interview about how these types of incidents unfold and what people and organizations like Nova Scotia Power can do to protect themselves. This interview has been edited for length and clarity:

Can you explain a bit about your agency and what it does?

The Canadian Centre for Cyber Security is really Canada's cyber defence agency. So, we provide advice, guidance and services to critical infrastructure systems of importance to Canada. Work primarily with the federal government is where we had started, but have really grown into critical infrastructure. And our goal is to raise cyber resilience across Canada. We fall under CSE, which is the Communications Security Establishment, and CSE has a mandate for foreign intelligence, which goes back 80 years in terms of WWII. We report to the minister of national defence.

What do you make of the recent attack against Nova Scotia Power, which did ultimately affect about 280,000 customers?

We don't comment specifically on specific incidents, but as a cyber centre … any critical infrastructure providers that have incidents can report their incidents to the cyber centre. So last year we saw about 1,500 incidents. We see a lot of these, and that's what's really important and kind of sad to understand as well, that this is happening so often in terms of cyber-criminal organizations compromising critical infrastructure organizations in Canada. Their motivation is money. They would compromise the network. So basically getting their software inside the network, but then stealing all the sensitive information from the organization and … then going ahead and encrypting systems and locking people out of their system. So we used to call that double extortion. So that way the criminal organization could threaten to release sensitive information, unless a ransom was paid, or also basically not give back access to systems unless a ransom was paid. So that was what we're seeing and it was incredibly impactful to system operators within Canada.

In this case, Nova Scotia Power did not pay the ransom that was asked of them. Is that common practice?

What we always do is we provide advice and guidance to organizations and we say, "it's a business decision," because we're not the ones operating their business, and we don't know their exact context, say if it's a threat to life or something else. But we always say, "Hey there's a lot of downside to paying the ransom." First of all, you're funding these criminal organizations. So, the more ransom is paid, the more we're going to proliferate this sort of behaviour. At the same point in time, you're paying this ransom to criminals. What's that contract worth in the end anyway? Is there really any guarantee that they're either not going to share the confidential information, or they're actually going to give you the keys to decrypt your systems and get your access back? The proceeds of this can go to criminal or even terrorist type causes as well, so, worrisome in that sense.

Are you able to say whether Nova Scotia Power had actually contacted your agency [following the breach]?

The one thing that I will say is that they did reach out to us. We always recommend that organizations that are victimized reach out to the cyber centre. We've seen many of these in the past and we have advice and guidance to share. And not only can we help the organization in their recovery, and in terms of paying the ransom, ransom might help you unlock your systems, but there's still always recovery costs that are part of this as well, regardless of whether you work with the criminal organization or not. But in this case, they did reach out to us. And the other thing we always encourage is … we hope that they share information about the compromise as well. Because we can take that and share that with other critical infrastructure organizations in Canada.

Did they share with you the extent of the breach?

We wouldn't go into any details in that sense, but they did notify us of the breach.

Is there any sense of who might have been the perpetrator in this attack from your perspective? Nova Scotia Power says it has a sense of who it is.

I wouldn't comment on that. There's various groups and they often change shapes and forms as they get disrupted. Unfortunately it's an ever-evolving group of cyber criminals that are out there that seem to be performing these behaviours. And we have an assessment out in terms of a cyber criminal activity in Canada as well that kind of points to the groups that we've seen as active.

About 140,000 [social insurance numbers] were included in the stolen data. How serious is this, when that type of personal information is accessed?

I couldn't speak to the seriousness of that type of information, but what I will say is that this is exactly what cyber criminals go after. And depending on the type of information, it'll fetch a different price on the dark web. Organizations will collect personal information, whether it's SIN numbers, or credit card numbers, or health card numbers, other sorts of confidential information. Typically that information gets resold on the dark web for other criminals that are going to actually monetize that for other purposes. It's kind of a not very positive circle that exists on the dark web. The way this actually works in terms of what we call "cybercrime as a service" is that it's a whole ecosystem of criminal entities that actually work together. And because it's typically run out of operations that are beyond the legal borders — often in Russian speaking countries where law enforcement won't necessarily prosecute — it's very difficult to disrupt these organizations. And even when law enforcement is able to disrupt them, it's fairly easy for them to kind of reconstitute themselves.

What are some of the risks when this personal information is shared on the deep web or dark web?

Once that information is out there, that often just spurs the next cycle of fraud. Whether it's spear phishing emails that are using that information, whether it's leveraging information about an organization or their clients to actually further compromise them. That's why it's really important to take note for everyone to be mindful of the things they can do to protect themselves. Be extra vigilant of understanding what's being mailed to you and double checking those links and making sure it's coming from an authenticated source and whatnot. Being mindful of content, making sure you have strong authentication in terms of how you're actually accessing applications as well.

What would be your advice to Nova Scotia Power?

Really for all of these organizations, do your due diligence. Understand what your really critical elements are of your organization that would be your worst-case scenario. And then once you know what your worst-case scenario is, then you can defend that. Build the plan according to our ransomware playbook, have the backups in place, and have the strong measures in place.

The utility [Nova Scotia Power] applied for funding about a month before the ransomware attack. They cited the Canadian Centre for Cyber Security's most recent threat assessment, pointing out that power grids are so interconnected that they can be really vulnerable to these types of attacks. What would be the warning signs of an attack like this?

One of the things that we've been very mindful of … as the world gets more hostile, we're worried about impacts to critical infrastructure like electrical grids, pipelines, these sorts of things. A lot of them are controlled by systems that were never meant to be connected to the Internet. Nowadays, as people are looking to optimize efficiency, and connect to cloud services and connect sensors to networks, they're becoming more exposed to threat actors from around the world. Normally your electrical grid would only be threatened by people that are actually in the country and nearby, but as soon as you connect it to the Internet, you're pretty much opening a lot of this up to people from anywhere. We are not a regulator. The cyber centre itself provides advice, guidance and services, but we have no authority over any of these entities. We work voluntarily to provide the best practices.


CNA
11-06-2025
Singapore authorities take down over 1,000 IP addresses linked to cybercrimes
SINGAPORE: Authorities in Singapore have taken down more than 1,000 internet protocol (IP) addresses based in the country and believed to have been linked to cybercrimes. Officers from the Cybercrime Command under the Criminal Investigation Department of the Singapore Police Force (SPF) worked with the Cyber Security Agency of Singapore (CSA) to take down the IP addresses here. This was part of a recent four-month operation across 26 countries led by the global police organisation Interpol and named Operation Secure, the police said in a news release on Wednesday (Jun 11). The operation against cybercriminal infrastructure was conducted from January to April this year. Law enforcement agencies from the 26 countries worked together to locate physical servers which they believed to be perpetuating malicious software (malware) known as "infostealers". The operation involved mapping physical networks and executing targeted takedowns. The global effort led to the taking down of more than 20,000 malicious IP addresses and domains, the police said in its news release. The malware is "designed to secretly infiltrate computer systems and steal sensitive information". The stolen data is then sent to a remote server controlled by the cybercriminals, said the police. It added that the "takedown of the malicious IP addresses and domains linked to the infostealers" ceases the cybercriminal's control over compromised systems and effectively disrupts cross-border criminal syndicates. The police said that its active participation in the operation reinforces the force's commitment to safeguarding Singaporeans from increasingly sophisticated cybercrime. The strong engagement with Interpol also reinforces SPF's goal to be a global partner in fighting cybercrime, it said. "Such collaborations are essential to keeping Singapore safe and secure from threat actors operating under the anonymity of the internet."
"Our strong collaboration with key local and international partners in Operation Secure was a key success factor in dismantling these cybercriminal networks. We will continue to work with CSA and other like-minded partners to protect Singaporeans and businesses from threats in cyberspace; and will spare no effort to disrupt cyber criminals and their operations," said Cybercrime Command Commander, Assistant Commissioner of Police Paul Tay.


CNA
29-05-2025
At least 146 Income Insurance customers hit by ransomware attack on data handling firm
SINGAPORE: A ransomware attack on a Singapore-based data handling service provider has compromised the personal information of at least 146 Income Insurance policy holders. The company in question, DataPost, is in the early stages of investigating the attack, the firm said on Thursday (May 29). DataPost was responsible for the printing and mailing of some of Income Insurance policy holders' documents, the insurer said in a separate statement, adding that affected customers' bonus statements had been compromised. DataPost, which works with government agencies and financial institutions, among others, told CNA its investigations "will take time to complete". In response to queries from CNA, a spokesperson from the Personal Data Protection Commission (PDPC) said that it is aware of the case and is also investigating. A spokesperson from the Cyber Security Agency told CNA that the agency is aware of the incident and has reached out to DataPost to offer assistance. "We are keeping a close watch on developments," they added. In ransomware attacks, threat actors typically use malicious software to encrypt files on servers, then demand a ransom in exchange for unlocking these files. The attack on DataPost was flagged on May 27 by infosecurity blog RedPacket Security and cybersecurity platform HookPhish. The breach led to data exfiltration, or the unauthorised transfer of data, and appeared to involve multiple tools and personnel, suggesting a coordinated attack, according to RedPacket Security. The threat group was identified as "direwolf", and allegedly used various infostealers – or malicious software that breaches computer systems – to gather the data. CNA has contacted DataPost for further comment on the scale and severity of the attack.

INCOME INSURANCE COMPROMISED

In its statement, Income Insurance said that it was alerted to the incident on Sunday.
The compromised data included information such as names, postal addresses, policy numbers and plans, and annual bonuses for the year 2024. Upon being notified, the insurer immediately suspended all printing jobs with DataPost. The company also blocked connections to DataPost and reinforced firewall restrictions. Income Insurance said it was on "heightened alert" to monitor for any suspicious activity, and is reaching out to all policy holders who might have been impacted by the breach, the company said. It added that there is currently no evidence of unauthorised access to any of its digital platforms and that it will "work closely" with both relevant authorities and DataPost to assess the full impact of the incident. The insurer's CEO Andrew Yeo said that protecting the privacy and security of policy holders' personal information was of "utmost importance". "We believe in informing our policy holders promptly and empathise with the concern this incident may cause," he said, adding that the company will continue to provide updates as more information becomes available. DataPost provides e-invoicing services to financial institutions, insurance companies, telecommunication companies and government agencies in Singapore and Malaysia. It handles over 40 million documents per month, according to its website. The company said its facilities are audited annually by banks and third-party auditors to ensure compliance with data security and operational security requirements. Singapore's Infocomm Media Development Authority (IMDA) has accredited DataPost as the service provider for InvoiceNow, a nationwide e-invoicing network. Through InvoiceNow, companies can transmit e-invoices in a standard digital format across different finance systems. DataPost told CNA that it will comply with all regulatory obligations throughout the course of the investigation.


Al Jazeera
31-01-2025
Singapore's anti-scam law casts critical eye on 'benevolent paternalism'
Singapore – Last year, Charlotte Goh received a call from someone claiming to be an officer with Singapore's Cyber Security Agency. The caller told Goh that her number was linked to a scam targeting Malaysians and directed her to the 'Malaysian Interpol' to file a report. As a sales professional who often lists her number in public spaces, Goh, who asked to use a pseudonym, found the story plausible. Over two hours, Goh shared personal details such as her name and identification number, though she hesitated to disclose her exact bank details. 'I wasn't sure if it was a scam – it sounded so true – but I was also afraid it might be,' she told Al Jazeera. When she was asked to photograph herself with her official identity card, Goh realised she was being scammed and hung up. Luckily, Goh, 58, was able to quickly change her passwords and transfer funds into her daughter's account before any money could be stolen. Others in her circle of friends have not been so fortunate. 'Some friends lost thousands,' she said. Singapore, one of the world's wealthiest and internet-savvy countries, has become a prime target for global scammers. In the 2023 edition of the Global Anti-Scam Alliance's annual report, Singapore had the highest average loss per victim of all countries surveyed, at $4,031. In the first half of 2024, reports of scams hit a record high of 26,587, with losses topping $284m. To combat this, the government has turned to unprecedented measures. Earlier this month, Singapore's parliament passed first-of-its-kind legislation granting authorities new powers to freeze the bank accounts of suspected scam victims. Under the Protection from Scams Bill, designated officers can order banks to block an individual's transactions if they have reason to believe they intend to transfer funds, withdraw money, or use credit facilities to benefit a scammer. Those affected still retain access to funds for daily living expenses. 
Singaporean police say that convincing victims they are being scammed is a persistent challenge. Despite numerous anti-scam initiatives, education efforts, and banks' introduction of features like kill switches, 86 percent of all reported scams in the city-state between January and September 2024 involved the willing transfer of funds. Common tactics used by scammers include impersonating government officials and creating the illusion of a romantic relationship. 'This Bill allows the police to act decisively and close a gap in our arsenal against scammers,' Minister of State for Home Affairs and Social and Family Development Sun Xueling told parliament. While the law has been hailed by its supporters as a critical tool to fight rampant scams, it has also stoked debate about the Singaporean government's famed tendency to intervene in private matters, a model of governance sometimes described as 'benevolent paternalism'. Critics see the law as an extension of the paternalistic governance embodied by Singapore's founding leader, the late Lee Kuan Yew, who once declared that he was 'proud' for the city-state to be known as a nanny state and claimed its economic success was made possible by intervening in personal matters such as 'who your neighbour is, how you live, the noise you make, how you spit'. In his speech to parliament before the bill's passage, Jamus Lim, an MP with the minor opposition Workers' Party, expressed concern about the intrusive nature of the law, suggesting individuals be allowed to opt out of its protections or designate trusted family members as administrators of accounts instead. 'One may be uncomfortable specifically with how the bill grants law enforcement an enormous amount of latitude to intervene and restrict what is ultimately a private transaction,' Lim said. Bertha Henson, a former editor with the Straits Times newspaper, said the legislation was only the latest example of the government intervening in 'so many parts of our lives'. 
'Can we be adults and not keep running to the State for protection?' Henson said in a Facebook post. 'Because we really should think a lot further and ask who is going to protect the individual from the State as well. Or whether we can always be assured that the right hands are on the helm.' The discussion comes as the government is rolling out a range of measures to enhance public security, including plans to double the number of police surveillance cameras to more than 200,000 by the mid-2030s and legal amendments granting police new powers to detain individuals with mental health conditions that are deemed to be a safety risk. Other recent laws, such as the Protection from Online Falsehoods and Manipulation Act and the Foreign Interference (Countermeasures) Act, reflect efforts to address misinformation and external influence. While cast as measures to protect national security and social stability, they also grant authorities broad discretionary powers. Walter Theseira, an associate professor of economics at the Singapore University of Social Sciences (SUSS), said the government's anti-scam legislation reflects the steep economic and social costs of fraud in the city-state. Theseira noted that many retirees opt to manage significant amounts of money outside Singapore's mandatory savings scheme used to fund retirement, healthcare and housing needs, putting them 'at risk of losing it all'. 'Unfortunately, the right to do what you want with your funds may have to be limited if your decisions end up making you dependent on society or encourage more criminal activity,' Theseira told Al Jazeera. Eugene Tan, an associate professor at Singapore Management University's (SMU) School of Law, said the growing losses from scams had spurred a shift towards a 'preemptive approach' focused on preventing scams before they occur. 'If not more is done urgently and robustly, then we are not far from an unmitigated disaster,' Tan told Al Jazeera.
'The government is alive to the social cost and it will be remiss in its duties not to deal with the imminent crisis.'

Trust in government

Proponents of the law have argued it is tightly defined in its scope. The legislation specifies that restriction orders will only be issued as a last resort, if all other efforts to convince the individual have failed. Individuals also have the right to appeal restriction orders, which initially last for 30 days and can be extended up to five times. While the law could appear intrusive to outsiders, Singaporeans widely expect the government to take an active role in overseeing the welfare and wellbeing of the public, said Tan Ern Ser, an associate professor of sociology at the National University of Singapore (NUS). 'In a sense, Singaporeans want 'parental support' but not the 'control' aspect of paternalism,' Tan told Al Jazeera, describing the public's expectation for a 'selective, narrower form of paternalism'. What sets Singapore apart is the public's high trust in the government, Tan said, citing surveys such as the Asian Barometer and World Values Survey. Tan pointed out that Singaporeans widely accepted stay-at-home orders, compulsory mask-wearing and contact tracing during the COVID-19 pandemic, which was not 'politicised to any significant degree'. Yip Hon Weng, an MP with the governing People's Action Party, said that the expanded police powers were a necessary response to the growing problem of scams. 'This ability to act swiftly is a game changer for victims who have been repeatedly targeted, as it prevents further financial losses at critical moments,' Yip told Al Jazeera, sharing the case of an elderly resident in his constituency who had lost his life savings to a scammer posing as a government official. 'Temporarily restricting account access is a drastic step but one that could save individuals from financial ruin. However, such measures must be exercised with care to avoid undermining public trust.'
Yip said the law's 'intrusiveness – temporarily restricting access to accounts – requires a delicate balance' between safeguarding personal agency and robust implementation. While the law is suited to Singapore's political context, such measures may not be so easily adopted in the global context, some analysts say. 'Countries will have to decide what will work for them and whether there is buy-in for the legislative regime to deal with the scams,' the SMU's Tan said, suggesting that there is a limit to how much the state can intervene, and that 'the political cost of such measures cannot be overlooked'. Already, the law has attracted negative online chatter and cost the government some political capital, said Theseira of SUSS, adding that it 'created a talking point that may be used against them in the upcoming elections'. Singapore's general elections, which are scheduled to take place by November, come amid growing discontent over housing affordability, rising living costs, income inequality, increasing polarisation and perceived restrictions on dissent in civil society. The NUS's Tan said it was unlikely the anti-scam law would set a global precedent in an era of growing distrust in politicians and government. 'All in all, my view is that a high degree of trust in government/institutions, social cohesion and consensus is necessary when an intervention is designed to restrict or restrain for a good, legitimate cause, but with society becoming more fractured and polarised, and entering a post-truth era, 'fair and foul, and foul is fair',' Tan said, quoting Macbeth.